From: Peter Pentchev <roam@ringlet.net>
To: "Douglas G. Allen" <dallen@roe35.lth2.k12.il.us>
Cc: Max Clements, freebsd-security@freebsd.org
Date: Tue, 7 Aug 2001 18:50:37 +0300
Subject: Re: ipfw question
Message-ID: <20010807185037.B495@ringworld.oblivion.bg>
In-Reply-To: <200108071050370603.00D90CE5@mail.roe35.lth2.k12.il.us>

On Tue, Aug 07, 2001 at 10:50:37AM -0500, Douglas G. Allen wrote:
> Max,
>
> >Nope - it is the netmask that you associate with one host...
> >ifconfig is quite correct in NOT rejecting it as it is right to use it with
> >an alias...
>
> My understanding, based upon a lot of reading and some discussions on Sunday
> in stable, was that only the first IP address was given the true network
> mask. The aliases had to be given the 255.255.255.255 netmask in order for
> it to work. Otherwise arp might complain, as it did with two cards active on
> the machine.

Absolutely correct. The alias should be defined with an all 1's netmask.

> >Nope an alias that is on the same IP segment as the main interface must have
> >a netmask of all ones, i.e., 255.255.255.255 or if you like that in hex
> >0xffffffff. Please refer to the FreeBSD /etc/defaults/rc.conf file and see:
> >--
> >#ifconfig_lo0_alias0="inet 127.0.0.254 netmask 0xffffffff" # Sample alias
> >entry.
> >--
>
> Ok, that backs up my interpretation above. Now, how do I get ipfw to allow
> me to write rules that will filter on both rules and leave both the true
> address and the alias active and able to see the network?
>
> I've tried firewalling just the true address, firewalling both addresses
> with the true netmask, firewalling the true address with the actual mask and
> the alias with 255.255.255.255. In each case, I could get the true address
> to see the network and the ipfw rules worked as expected. However the alias
> didn't function in each case. Any suggestions?

I don't think the 'client' firewall rules per se are supposed to work for
more than one IP address. You'll need to take them as a base, and write up
your own firewall script.

G'luck,
Peter

--
I am jealous of the first word in this sentence.
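A concrete version of that answer, as an added example that is neither Peter's script nor FreeBSD's own rc.firewall: a small sh script modelled on the "client" ruleset that loops over the primary address and the alias so both receive the same rules. The interface addresses and network are constructed placeholders, and the `fwcmd` variable defaulting to `echo` for review is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's own rc.firewall:
# a "client"-style ipfw ruleset that treats the interface's primary
# address and its alias identically.  The alias is configured via
# ifconfig with netmask 0xffffffff, but ipfw rules only need the bare
# host address, so no /32 mask appears below.

# Default to printing the rules so the script can be reviewed without
# root.  On the FreeBSD host, run it with fwcmd=/sbin/ipfw to load them.
fwcmd="${fwcmd:-echo ipfw}"

onet="192.0.2.0"                 # local network and mask (constructed values)
omask="255.255.255.0"
addrs="192.0.2.17 192.0.2.18"    # primary address, then each alias

# client_rules NET MASK ADDR...  -- emit one rule set covering every ADDR
client_rules() {
    net=$1; mask=$2; shift 2

    # Loopback traffic, and nothing claiming 127/8 on the wire.
    ${fwcmd} add allow ip from any to any via lo0
    ${fwcmd} add deny ip from any to 127.0.0.0/8
    ${fwcmd} add deny ip from 127.0.0.0/8 to any

    # Per-address rules: the stock "client" set names a single address,
    # so a second address on the interface is never matched by them.
    for ip in "$@"; do
        ${fwcmd} add allow ip from "$ip" to "$net:$mask"
        ${fwcmd} add allow ip from "$net:$mask" to "$ip"
        ${fwcmd} add allow tcp from any to "$ip" 22 setup  # inbound ssh only
        ${fwcmd} add allow udp from "$ip" to any 53         # DNS queries out
        ${fwcmd} add allow udp from any 53 to "$ip"         # ...and replies
        ${fwcmd} add allow udp from "$ip" to any 123        # NTP
    done

    # Established TCP sessions, then the default deny with logging.
    ${fwcmd} add allow tcp from any to any established
    ${fwcmd} add deny log ip from any to any
}

client_rules "$onet" "$omask" $addrs
```

Run it once with the default `fwcmd` to read the generated rules, and check that the alias appears in every per-address line before loading them for real.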